On 6/12/18 1:03 am, Christof Gerber wrote:
> I have a squid 3.5 as forward proxy that does ssl_bump by default.
> Some traffic I need to forward in addition to a second proxy by proxy
> chaining. The following configuration works for HTTP traffic but not
> with HTTPS. I found out through
> https://www.spinics.net/lists/squid/msg84767.html that this is because
> Squid 3.5 is not capable of doing ssl_bump + proxy chaining because
> the first proxy in the chain won't send a CONNECT after ssl_bump was
> performed. My question is:
>
> 1. Is this finding still up-to-date, saying that Squid 3.5 does not
> support ssl_bump + proxy chaining. How is it for Squid 4?

The situation is better and constantly being improved. But the official releases are still not doing CONNECT to upstream peers in the case where traffic is fully decrypted by the first proxy. Only the cases where decryption is avoided with splice or on_unsupported_protocol tunnel's.

IIRC Measurement Factory had an experimental git branch to add CONNECT over non-TLS/SSL peers. I'm not sure what the status is on that now, it has not been submitted for merge auditing yet.

Amos
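
An added example, not part of the original thread or of the Squid project's own documentation: a squid.conf sketch of the case the reply says does work, where domains that must go through the second proxy are spliced instead of bumped so that Squid tunnels them to the peer with CONNECT. The peer address, the peer name `upstream` and the domain `.example.net` are constructed placeholders, and an existing `http_port ... ssl-bump` listener is assumed.

```conf
# Constructed example. 192.0.2.10, "upstream" and .example.net are placeholders.
# Assumes the http_port line with ssl-bump and the signing CA is already present.

# Second proxy in the chain, reached over plain HTTP (no TLS to the peer).
cache_peer 192.0.2.10 parent 3128 0 no-query no-digest name=upstream

# Destinations that must be chained through the peer.
# dstdomain matches the host in the client's CONNECT request;
# ssl::server_name matches the SNI seen after peeking at the ClientHello.
acl chained_dst dstdomain .example.net
acl chained_sni ssl::server_name .example.net

acl step1 at_step SslBump1

# Peek first so the SNI is available to the splice decision.
ssl_bump peek step1
# Do not decrypt chained destinations: a spliced connection stays a tunnel,
# which is the case where Squid sends CONNECT to the peer.
ssl_bump splice chained_sni
# Everything else keeps the default behaviour of being bumped.
ssl_bump bump all

# Route only the chained destinations to the peer and forbid going direct
# for them, so a peer outage fails closed instead of bypassing the chain.
cache_peer_access upstream allow chained_dst
cache_peer_access upstream deny all
never_direct allow chained_dst
```

Spliced destinations are not decrypted by the first proxy, so any content inspection for them has to happen on the second proxy or not at all.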